
[Multi factor authentication] Using Azure AD instead of ADFS on-premise

Open CaoXue95 opened this issue 4 years ago • 9 comments

Hi SPGo team,

Good day. Because we are using Azure AD instead of ADFS on-premise, could SPGo support multi-factor authentication in this situation? Current environment:

  • SharePoint Online
  • Authentication Type (ADFS? might be)

Thanks in advance!

CaoXue95 avatar Sep 14 '20 10:09 CaoXue95

Hi team, good day. Could I get an update on this situation? Thanks a lot~

CaoXue95 avatar Sep 16 '20 03:09 CaoXue95

How do you have Azure AD configured? In most cases, you should be able to authenticate with username+password and Digest authentication as described here: https://www.chrishasz.com/spgo/authentication/digest-authentication

If you do use some interactive mechanism for authentication like MFA, then there is a limitation in VSCode which doesn't allow me to load a remote web page. You may be able to set up an app password. I'm also working on support for Addin-Only authentication, but I don't have a firm date on when that would be ready.

chrishasz avatar Sep 19 '20 16:09 chrishasz

Hello @CaoXue95 - SPGo supports Addin-only authentication as of version 1.7.0.

I still do not support MFA with interactive login, unfortunately.

chrishasz avatar Dec 17 '20 06:12 chrishasz

Hello @chrishasz. First of all, congrats on your great work.

Is there any planned milestone including this MFA feature? I see the underlying node-sp-auth library already includes the on-demand authentication mechanism, but it cannot be bypassed because SPGo keeps crashing while verifying credentials. I guess it's not as easy as accepting a new authenticationType with the appropriate authenticationDetails, right?

Jbelmonte avatar Feb 03 '21 00:02 Jbelmonte

Hello @Jbelmonte -

The barrier to supporting this right now is VSCode itself. The extension runtime actively blocks/prevents any browser windows from being opened interactively by an extension. This is the root cause that prevents me from supporting this functionality via node-sp-auth.

There are a few options that I've seen other extension authors use:

  1. Use an HTTP/Proxy library to host a website on the user's machine and proxy/iframe the interactive login window and then scrape the JWT token.
  2. Use an automation tool like Jest to run a task that opens a browser window to perform the authentication step.

Neither of these is particularly attractive. Option 1 will likely be blocked by many default or enterprise browser configurations. Option 2 requires a specific browser be installed (Chrome, FF, Brave) and I don't want to make the assumption or requirement regarding which browsers are installed on a user.

Both of these options also undermine my vision that SPGo is lightweight and unobtrusive.

I would love to support this feature and I welcome any creative suggestions for how to make it work.

chrishasz avatar Feb 06 '21 20:02 chrishasz

Understood. Thank you very much for your detailed explanation. Unfortunately I don't know how to help you to solve this situation. I guess I should explore the Addin Only authentication mechanism approach. Again, thank you @chrishasz .

Jbelmonte avatar Feb 07 '21 00:02 Jbelmonte

@Jbelmonte please let me know if you have any issues getting the app password or addin-only auth working and thank you for using SPGo!

chrishasz avatar Feb 07 '21 00:02 chrishasz

Hi @chrishasz, I don't fully understand the blocker here, but have you considered DeviceCode style authentication? I've used it in another JS project and it works well, even without a browser being involved. It just prints a URL and a code to the console and the user has to paste the code into the URL and then it sends back a token. Nice and easy.

multimeric avatar May 11 '23 04:05 multimeric
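
The device code flow suggested in the comment above, as an added example that is not part of the original thread or of SPGo's code: a client-side polling loop following RFC 8628, where the user completes sign-in (including MFA) in their own browser. The `post` and `sleep` helpers, `fakeServer`, the URL, codes and client id are constructed for illustration so the loop runs offline.

```javascript
// Client side of the RFC 8628 device authorization grant (added example).
const GRANT = 'urn:ietf:params:oauth:grant-type:device_code';

// Pure decision step: given the token endpoint's JSON reply and the current
// polling interval (seconds), decide what the client must do next.
function nextStep(reply, interval) {
  if (reply.access_token) return { action: 'done', token: reply.access_token };
  switch (reply.error) {
    case 'authorization_pending': return { action: 'wait', interval };
    case 'slow_down': return { action: 'wait', interval: interval + 5 }; // RFC 8628 s3.5
    default: return { action: 'fail', reason: reply.error || 'invalid_response' };
  }
}

// Polls until the user approves, the server refuses, or the code expires.
// post(form) and sleep(seconds) are injected (hypothetical helpers).
async function pollForToken(grant, clientId, post, sleep) {
  let interval = grant.interval || 5; // RFC default when the server omits it
  let waited = 0;
  while (waited < grant.expires_in) {
    await sleep(interval);
    waited += interval;
    const form = { grant_type: GRANT, device_code: grant.device_code, client_id: clientId };
    const step = nextStep(await post(form), interval);
    if (step.action === 'done') return step.token;
    if (step.action === 'fail') throw new Error(step.reason);
    interval = step.interval;
  }
  throw new Error('expired_token');
}

// Constructed stand-in for an authorization server: one pending reply,
// one slow_down, then the user "approves" and a token is issued.
function fakeServer() {
  const replies = [{ error: 'authorization_pending' }, { error: 'slow_down' },
                   { access_token: 'constructed-token' }];
  const seen = [];
  return { seen, post: async (form) => { seen.push(form); return replies.shift(); } };
}

async function demo() {
  const grant = { device_code: 'constructed-device-code', user_code: 'ABCD-EFGH',
                  verification_uri: 'https://idp.example/device', expires_in: 900, interval: 5 };
  console.log(`Open ${grant.verification_uri} and enter ${grant.user_code}`);
  const server = fakeServer();
  const waits = [];
  const token = await pollForToken(grant, 'constructed-client-id', server.post, async (s) => { waits.push(s); });
  return { token, waits, polls: server.seen.length };
}
demo().then((result) => console.log(result));
```

The extension never sees the password or the MFA prompt; it only holds the device code and, on success, the token.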

Hello @chrishasz, great extension, but the MFA support recently affected our team when security policies changed, and Digest no longer authenticates.

I wonder if the issue you described in response to @Jbelmonte on Feb 7, 2021, is still true. If I use the PowerShell extension from Microsoft and issue this command: Connect-SPOService -Url https://{ourdomain}-admin.sharepoint.com/ inside VS Code, it prompts me to authenticate. I don't know enough about extension development to know if this means the issue has been resolved or if I'm misinterpreting the difference between it and SPGo.

[Image: Microsoft PowerShell extension]

richardtj avatar Sep 21 '23 02:09 richardtj